In Windows environments when a service is registered with the system a new key is created in the registry which contains the binary path. Even though that this escalation vector is not very common due to the fact that write access to the services registry key is granted only to Administrators by default however it should not be omitted by the penetration tester as another possible check.

The process of privilege escalation via insecure registry permissions is very simple. Registry keys for the services that are running on the system can be found in the following registry path:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services

If a standard user has permissions to modify the registry key “ImagePath” which contains the path to the application binary then he could escalate privileges to system as the Apache service is running under these privileges.

ImagePath Registry Key

The only thing that is required is to add a registry key that will change the ImagePath to the location of where the malicious payload is stored.